LinuxQuestions.org


cristina_crow 11-23-2007 02:14 AM

ipsec server on debian
 
hello

first of all, I have performed a (short) search on the forum, but I couldn't find what I was looking for

I am trying to configure a security gateway on a debian

# uname -a
Linux ipsec01 2.6.22-2-686 #1 SMP Fri Aug 31 00:24:01 UTC 2007 i686 GNU/Linux

basically, this setup should know ipsec transport and tunneling on ipv4 and ipv6, to automatically negotiate security associations, based both on pre-shared keys and on digital certificates, to encrypt and authenticate traffic

the main features I am interested in are the ike v2 and isakmp logging

the tunneling will be done versus a cisco 6500

I have tried to create a transport mode config with ipsec-tools and racoon, I can start both daemons (running /etc/init.d/ipsec start and /etc/init.d/racoon start I don't have any error messages), but when I ping the cisco from debian and vice versa, I can't see any negotiation, only plain messages

ipsec-tools.conf file:

#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

## Some sample SPDs for use racoon

spdadd 26.0.0.254 26.0.0.250 any -P out ipsec
esp/transport/require;

spdadd 26.0.0.250 26.0.0.254 any -P in ipsec
esp/transport/require;

#add 26.0.0.250 26.0.0.254 esp 15701 -E des-cbc "cheie"
#add 26.0.0.254 26.0.0.250 esp 24501 -E des-cbc "cheie"


racoon.conf file:

# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#

#RACOON_OPTS="-4 -l /var/log/racoon.log"
#RACOON_CONF="/etc/racoon/racoon.conf"
#RACOON_PSK_FILE="/etc/racoon/psk.txt"
#SETKEY_CONF="/etc/ipsec-tools.conf"
#RACOON_RESET_TABLES="true"

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}

listen
{
isakmp 26.0.0.254[10];
#admin[7002];
#strict_address;
}

timer
{
counter 5;
interval 20 sec;
persend 1;

# how long I wait for each phase
phase1 90 sec;
phase2 90 sec;
}


# this is the debian peer

remote anonymous {
exchange_mode aggressive,main;
my_identifier address "26.0.0.254";
# doi ipsec_doi;
situation identity_only;

initial_contact on;
proposal_check obey;

proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
encryption_algorithm des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}


iptables allows all traffic:

iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



when I ping the cisco from the debian, this is what I have in the /var/log/syslog file:

Nov 22 20:06:18 ipsec01 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: giving up on message 0x828ccc0, exchange ISAKMP-peer-west
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: either this message did not reach the other peer
Nov 22 20:06:25 ipsec01 isakmpd[2983]: transport_send_messages: or the responsemessage did not reach us back

cisco config looks like this:

crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cheie address 20.0.0.254
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IL esp-des esp-md5-hmac
!
crypto map IL 10 ipsec-isakmp
set peer 20.0.0.254
set transform-set IL
match address 100

and it is put on an interface

interface FastEthernet5/0
ip address 26.0.0.250 255.255.0.0
duplex auto
speed auto
crypto map IL
no shut


I have used online tutorials, but I am doing something wrong, obviously
could you please help me out with this?

thanks a lot

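As an added illustration (not code from the original post), a small Python script that pulls the Phase 1 and Phase 2 parameters out of the racoon.conf and Cisco snippets quoted above and lists the fields on which the two peers disagree; the config excerpts are constructed from the post, and DES is assumed as the IOS ISAKMP encryption default because the quoted policy sets no `encryption` line.

```python
import re
# Constructed excerpts of the racoon.conf and Cisco config quoted in the post;
# only the lines that carry negotiation parameters are kept.
RACOON_CONF = """remote anonymous {
my_identifier address "26.0.0.254";
proposal {
encryption_algorithm des;
hash_algorithm sha1;
authentication_method pre_shared_key;
} }
sainfo anonymous {
encryption_algorithm des;
authentication_algorithm hmac_sha1;
}"""
CISCO_CONF = """crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cheie address 20.0.0.254
crypto ipsec transform-set IL esp-des esp-md5-hmac"""
# Map IOS keywords onto racoon spelling so the two sides compare directly.
IOS_TO_RACOON = {"md5": "md5", "sha": "sha1", "pre-share": "pre_shared_key",
                 "esp-des": "des", "esp-md5-hmac": "hmac_md5", "esp-sha-hmac": "hmac_sha1"}
def _val(block, key):
    m = re.search(r'^\s*%s\s+"?([^;"]+)"?\s*;' % re.escape(key), block, re.M)
    return m.group(1) if m else None
def parse_racoon(text):
    phase1, phase2 = text.split("sainfo", 1)  # 'remote' block vs 'sainfo' block
    return {"debian_addr": _val(phase1, "my_identifier address"),
            "p1_enc": _val(phase1, "encryption_algorithm"),
            "p1_hash": _val(phase1, "hash_algorithm"),
            "p1_auth": _val(phase1, "authentication_method"),
            "p2_enc": _val(phase2, "encryption_algorithm"),
            "p2_auth": _val(phase2, "authentication_algorithm")}
def parse_cisco(text):
    w = lambda pat: re.search(pat, text, re.M).group(1)
    enc, auth = re.search(r"transform-set \S+ (\S+) (\S+)", text).groups()
    return {"debian_addr": w(r"isakmp key \S+ address (\S+)"),  # peer the key is bound to
            "p1_enc": "des",  # assumed IOS default when the policy sets no 'encryption'
            "p1_hash": IOS_TO_RACOON[w(r"^\s*hash (\S+)")],
            "p1_auth": IOS_TO_RACOON[w(r"^\s*authentication (\S+)")],
            "p2_enc": IOS_TO_RACOON[enc],
            "p2_auth": IOS_TO_RACOON[auth]}
def mismatches(racoon, cisco):
    # Each differing field is a parameter both peers would have to agree on.
    return {k: (racoon[k], cisco[k]) for k in racoon if racoon[k] != cisco[k]}

if __name__ == "__main__":
    for k, (r, c) in mismatches(parse_racoon(RACOON_CONF), parse_cisco(CISCO_CONF)).items():
        print(f"{k}: racoon={r} cisco={c}")
```

Running it on the quoted excerpts reports the Phase 1 hash, the Phase 2 ESP authentication algorithm and the address the Cisco key is bound to as the three differing fields.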
